Network security systems often monitor computer networks for potentially malicious activity. For example, an Intrusion Prevention System (IPS) may perform a security analysis on a HyperText Transfer Protocol (HTTP) exchange between a client and a server. In this example, the IPS may obtain an HTTP request from the client and the corresponding HTTP response from the server and then analyze the HTTP request/response pair to determine whether this HTTP exchange represents a potential security risk.
Unfortunately, the process of identifying HTTP request/response pairs for the IPS's security analysis may be fairly difficult in certain cloud-based environments. For example, a distributed cloud-based environment may include multiple Internet Content Adaptation Protocol (ICAP) servers that handle network traffic exchanged between various clients and web servers. In this example, the ICAP server that handles an HTTP request from a client may not be the same ICAP server that handles the corresponding HTTP response from a web server. As a result, these ICAP servers may have difficulty matching the HTTP request with the corresponding HTTP response.
As another example, a multi-tenant cloud-based environment may include an ICAP server that multiplexes network traffic exchanged between various clients and web servers over a single network connection. In other words, the ICAP server may receive HTTP requests from multiple clients and HTTP responses from multiple web servers via the same network connection. As a result, this ICAP server may have difficulty matching the HTTP requests with the corresponding HTTP responses.
Unfortunately, without the entire HTTP request/response pair, the IPS's security analysis may have diminished effectiveness. The instant disclosure, therefore, identifies and addresses a need for improved systems and methods for performing security analyses on network traffic in cloud-based environments.